[INFRA-373]: enforce non-empty RUNNER_HMAC_SECRET_KEY for runner

[sriramveeraghanta]

Description

Follow-up to #225. Addresses the CodeRabbit review comment that the runner-env Secret was rendering an empty RUNNER_HMAC_SECRET_KEY whenever services.runner.enabled=true and no external secret was provided, which is an unsafe default and silently breaks HMAC auth/signature guarantees.

This change replaces the default "" with Helm's required function on .Values.env.runner_envs.hmac_secret_key, so helm template / helm install fails fast with a clear message when the value is missing — and only when the internal secret is actually being rendered (the required is gated by the existing if and .Values.services.runner.enabled (empty .Values.external_secrets.runner_env_existingSecret) block).

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Test Scenarios

Verified via helm template charts/plane-enterprise:

1. Runner disabled (default) — no runner resources rendered; chart renders cleanly.
2. Runner enabled, hmac_secret_key not set, no external secret — fails fast with:
   Error: execution error at (.../runner-env.yaml:9:29): env.runner_envs.hmac_secret_key must be set when services.runner.enabled=true and external_secrets.runner_env_existingSecret is empty
3. Runner enabled, hmac_secret_key set — Secret renders with the provided value.
4. Runner enabled, external_secrets.runner_env_existingSecret set — internal Secret is skipped (no required triggered); Deployment references the external secret as before.

References

• INFRA-373
• Follow-up to [INFRA-373]: add runner service to the helm charts #225 (CodeRabbit review comment)

Summary by CodeRabbit

• Bug Fixes
  • The Runner service configuration now enforces that the HMAC secret key must be explicitly provided, eliminating the possibility of an empty fallback value that could cause issues.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f0247f14-e1d6-4f96-99ba-fb392b0d1542

📥 Commits

Reviewing files that changed from the base of the PR and between 71212f0 and 4b6cc53.

📒 Files selected for processing (1)

• charts/plane-enterprise/templates/config-secrets/runner-env.yaml

---

Walkthrough

The PR modifies the runner environment secrets template to require explicit configuration of the HMAC secret key. Instead of defaulting to an empty string, the template now enforces that env.runner_envs.hmac_secret_key must be explicitly provided when runner services are enabled and no external secret is configured.

Changes

Runner Configuration Validation

Layer / File(s)	Summary
Required HMAC secret validation charts/plane-enterprise/templates/config-secrets/runner-env.yaml	RUNNER_HMAC_SECRET_KEY value generation is updated to require explicit configuration via Helm's required function, removing the prior default "" fallback behavior. The value is enforced when runner is enabled and no external secret exists.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A secret once empty, now declared with care,
The runner demands what it needs to share,
No silent defaults in the Helm confess,
Just truthful values, nothing less. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: enforcing a non-empty RUNNER_HMAC_SECRET_KEY requirement for the runner component in the Helm chart. It is specific, directly related to the changeset, and uses a ticket reference for context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/runner-hmac-required

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[makeplane]

Linked to Plane Work Item(s)

• [INFRA-373] add runner to helm chart of plane-enterprise

This comment was auto-generated by Plane